Xabaril / AspNetCore.Diagnostics.HealthChecks

Enterprise HealthChecks for ASP.NET Core Diagnostics Package
Apache License 2.0

Azure Service Bus Topic hc fails with "Manage,EntityRead claims required for this operation" #555

Open momosoiu opened 4 years ago

momosoiu commented 4 years ago

The Azure Service Bus health checks started to fail after the upgrade from version 3.1.1 to version 3.2.1 of AspNetCore.HealthChecks.AzureServiceBus.

If I change the policy on the topic from Send, Listen to Manage the exception/unhealthy check is gone and it works as expected.

What you expected to happen:

I would expect it to work the same as version 3.1.1, without the need to change the policy. I don't expect the health check to have manage policy. It should at least be optional.

Source code sample:

I am using the health check for topics.

    hcBuilder
        .AddAzureServiceBusTopic(
            configuration[ApplicationConstants.ServiceBusConnectionString],
            topicName: configuration[ApplicationConstants.ServiceBusTopic],
            name: "servicebus-check",
            tags: new string[] { "servicebus" },
            failureStatus: HealthStatus.Unhealthy);

The response is:

    "servicebus-check": {
        "data": {},
        "description": "Manage,EntityRead claims required for this operation. ......",
        "duration": "00:00:00.3142384",
        "exception": "Manage,EntityRead claims required for this operation.......",
        "status": "Unhealthy"
    }

Environment:

unaizorrilla commented 4 years ago

Hi @momosoiu

On 3.2.X we changed how the SB health check is performed. Now we use the management client to get information about the topic / queue / .. and this permission is mandatory.

momosoiu commented 4 years ago

Hi @unaizorrilla,

thank you for the quick response. I have reverted to 3.1.1 for now.

My concern is that this permission is too much for a health check.

Is this something that will remain like this for newer versions?

unaizorrilla commented 4 years ago

Hi @momosoiu

Well, previously we used scheduler messages, but this introduced some other issues! If you know any other way to check the health status of a topic/queue, we are happy to check!

ArthurMPC commented 3 years ago

I have the same problem... I think the health check should not require the manage privilege of the queue... maybe the implementation of the health check should initiate a QueueClient instead of a ManagerClient.

darjanbogdan commented 2 years ago

Encountered the same issue and share the same thoughts that the Manage policy shouldn't be required for these kinds of operations. In case a company has strong permission policies, it's not possible to elevate permissions just for the health check, so in our case we can't rely on these checks, unfortunately.

There is a duplicate: https://github.com/Xabaril/AspNetCore.Diagnostics.HealthChecks/issues/727 with the same conclusions

Would IsClosed property be good enough to use instead?

brunohdossantos commented 2 years ago

I'm having the same problem; could you give this more attention? As a good practice, connections should not have "Manage" permission; they should have permission, for example, only "listen" or "send" according to their purpose.
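
One way to keep a Service Bus health check within a Listen-only policy, as discussed in this thread, is to peek a subscription through a receiver instead of querying the management endpoint. This is an added example, not code from the AspNetCore.Diagnostics.HealthChecks project or from any commenter. It assumes the newer Azure.Messaging.ServiceBus SDK, a subscription that already exists on the topic, and a hypothetical class name `ListenOnlySubscriptionHealthCheck`.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Messaging.ServiceBus;
using Microsoft.Extensions.Diagnostics.HealthChecks;

// Hypothetical check, not part of AspNetCore.HealthChecks.AzureServiceBus.
// It peeks a subscription through a receiver, so the SAS policy behind the
// connection only needs the Listen claim rather than Manage.
public sealed class ListenOnlySubscriptionHealthCheck : IHealthCheck
{
    private readonly ServiceBusClient _client;   // shared, long-lived client
    private readonly string _topicName;
    private readonly string _subscriptionName;   // assumption: subscription exists

    public ListenOnlySubscriptionHealthCheck(
        ServiceBusClient client, string topicName, string subscriptionName)
    {
        _client = client ?? throw new ArgumentNullException(nameof(client));
        _topicName = topicName ?? throw new ArgumentNullException(nameof(topicName));
        _subscriptionName = subscriptionName
            ?? throw new ArgumentNullException(nameof(subscriptionName));
    }

    public async Task<HealthCheckResult> CheckHealthAsync(
        HealthCheckContext context, CancellationToken cancellationToken = default)
    {
        try
        {
            await using ServiceBusReceiver receiver =
                _client.CreateReceiver(_topicName, _subscriptionName);

            // Peek neither locks nor removes a message. A null result only
            // means the subscription is empty, which is still healthy.
            _ = await receiver.PeekMessageAsync(cancellationToken: cancellationToken);
            return HealthCheckResult.Healthy();
        }
        catch (Exception ex)
        {
            // Covers missing entities, network failures and a policy without
            // Listen. The description is fixed text; the exception is attached
            // for logging and the response writer decides what to expose.
            return new HealthCheckResult(
                context.Registration.FailureStatus,
                description: "Service Bus subscription peek failed.",
                exception: ex);
        }
    }
}
```

A check like this exercises the receive path only, so a Send-only connection would still need a different probe.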